Cybersecurity Q&A: What’s Your Firm’s Data Breach Response Plan?

September 12, 2017

Keeping your firm’s data secure is paramount. Lawyers must be aware of the dangers of a data breach and be ready to respond at a moment’s notice. What should you do if your firm gets hacked? We spoke with Paul Alvarez and Jim Bitzes, senior managers in the fraud investigation and dispute services practice group at Ernst & Young LLP, about how firms can best prepare for a data breach scenario. On August 21 Alvarez and Bitzes led the panel on the D.C. Bar CLE course “You've Been Breached: Now What? Advising Your Clients on Cybersecurity Issues.”

Tell us more about what you covered in the CLE and why they’re important.

Bitzes: For this CLE we created a scenario [that] included several issues, not just a traditional concept of a breach. One of the things we included was the malicious insider element to try to broaden people's perspectives in what potential threats are out there. Sometimes people forget that the ultimate endpoint in cyberspace is the human. We want to get folks thinking about not just the IT side but the human side of what can go on and what does go on with a high degree of frequency in these scenarios.

Alvarez: We also highlight the things that are not technical in nature but are huge considerations for responding to a breach or insider event. There's always the focus on hardening the environment, monitoring the perimeter, and determining what kind of threat intelligence is needed to detect risks earlier. Those are all important, but there's also a component of non-technical controls [that] need to be put in place to mitigate these issues. Onboarding, personnel screening, policies and procedures, exercises – all of those are extremely important, and we bring these elements to the forefront.

Why is cybersecurity critical to firms?

Bitzes: For starters, all attorneys must comply with the ABA Model Rules of Professional Conduct. We have a duty to protect the confidences of our clients, and lawyers hold the privilege of attorney – client privilege and client confidence in high esteem. Our clients want to know that they can depend on us to protect the confidentiality of their data, especially in a law firm environment.

Where can attorneys start in embracing the concept of cybersecurity?

Bitzes: To start, don't be afraid of the technology. You need to understand the environment you're trying to operate within. You don't have to necessarily go out and get a degree in cybersecurity or IT, but you do have to educate yourself to a degree that you can competently opine.

Alvarez: I think it's important for attorneys to become extremely familiar with the company's incident response plan, and if they don't have one, they should be driving the company to create one. They should understand their role in the plan, what steps need to be taken if a breach happens, at what point the incident should be escalated, when legal counsel should be brought in, and so forth.

I also encourage them to interact as much as possible with security professionals. Get involved in tabletop exercises, review lessons learned from previous incidents to see what they did right or wrong and how they can improve the process, and get a feel for the types threats the firm faces on a regular basis and how quickly they respond to those threats.

How should firms respond to a data breach?

Alvarez: The first moments during a breach are crucial. Here are some key elements:

Have a breach response plan and stick to it.

Make sure your firm has a person who will take the lead and coordinate a response to the breach.

Use tested and exercised procedures, and start methodically piecing the situation together.

Scope the breadth and width of the compromise as best as possible, and determine the impact and the steps to recover.

Determine what kinds of data needs to be preserved for analysis and investigative purposes, especially when an insider is involved.

Communicate. Make sure that the key impacted clients know what’s going on, both internally and externally, and are informed on a timely basis to ensure everyone’s on the same page. Have a process for establishing and maintaining privileged communication.

Final thoughts?

Bitzes: 2016 saw our largest number of breaches to date. The problem isn't going away anytime soon. I think that it’s vitally important to take this seriously. It's not a matter of if you're going to be breached, but when. Your ability to continue to thrive, operate, and be resilient in this environment is dependent on the actions you take before the event happens.